1.4.0 (2016-09-09)¶
Make sure that Child CAs never expire after their parents. If the user specifies an expiry after that of the parent, it is silently changed to the parents expiry.
Make sure that certificates never expire after their CAs. If the user specifies an expiry after that of the parent, throw an error.
Rename the
--days
parameter of thesign_cert
command to--expires
to match what we use forinit_ca
.Improve help-output of
--init-ca
and--sign-cert
by further grouping arguments into argument groups.Add ability to add CRL-, OCSP- and Issuer-URLs when creating CAs using the
--ca-*
options.Add support for the
nameConstraints
X509 extension when creating CAs. The option to theinit_ca
command is--name-constraint
and can be given multiple times to indicate multiple constraints.Add support for the
tlsfeature
extension, a.k.a. “TLS Must Staple”. Since OpenSSL 1.1 is required for this extension, support is currently totally untested.